Industry Insights with Mark McGlenn

General Data Protection Regulation (GDPR) , Governance & Risk Management , Incident & Breach Response

Procrastinators' Guide to GDPR Compliance

Organizations Are Not as Ready as They Might Believe
Procrastinators' Guide to GDPR Compliance

If you're paying attention, you've probably already seen a handful of General Data Protection Regulation headlines just today, let alone in the last week or month. But there are two good reasons for the deluge of GDPR discussion right now: It's incredibly important and the time to act is now.

If you're one of those ninth inning, hit it out of the park types, you're up. The European Union has imposed a May 25 GDPR enforcement deadline for any organization, regardless of location, that does business with any of the EU's approximately 500 million residents. And noncompliance could cost you the ball game with a price tag of up to 4 percent of your annual global revenue or €20 million, whichever is higher.

In a recent survey of Fortune 500 firms, 98 percent reported being on track with GDPR compliance efforts. Unfortunately, though, the survey then went on to show far too many "no's" to specific "have you done" questions. Organizations just aren't as ready as they think they are, and odds are good your organziation could be better prepared. If you've procrastinated on this process - and just about everyone has, as studies show - start now by taking a hard look at these three foundational areas.

  1. Build your team: GDPR requires the appointment of a data privacy officer. This could be a new position or you could add/change duties for someone already on staff. This position could be a full-time employee or an external consultant. Regardless of the approach you take, someone with compliance expertise is needed to inform your organization of its GDPR obligations, monitor compliance and serve as the liaison with the supervising authority. You'll need a DPO at a minimum. But even better is the appointment of a cross-functional team that can educate others in the organization while planning for and responding to data privacy issues across the organization.
  2. Map your data: Identify the data sets in your organization's control (for both customers and employees) and the legal basis for processing personal data. Also, if you have more than 250 employees, maintain documentation of all processing activities, including: controller and processor contact information; purposes for processing; categories of subjects and personal data; recipients of data disclosures, including country or international organization; and your in-use security measures. Records of this information will need to be available if the regulating authority wants to perform an audit.
  3. Write an incident response plan: In the event a security incident does occur, GDPR requires disclosure to supervisory authorities and applicable users within 72 hours. So that you may issue notifications within that time period, develop an IR plan that clearly defines what constitutes a breach, the rules that apply, and the assets you have in play to investigate and respond. Remember, you can avoid notification requirements if you can render the personal data unintelligible or inaccessible.

Meeting GDPR compliance requirements is a complex process whereby many more details must be addressed. Learn more tips from Absolute's webinar GDPR Compliance Masterclass where you'll gain valuable insight from a panel of experts. As we enter the home stretch for this regulation, it's definitely better to be late to the game than to never get started.

GDPR Compliance MasterClass

Prepare for GDPR compliance with tips from industry experts!

Watch webinar now

About the Author

Mark McGlenn

Mark McGlenn

Senior Manager of Risk and Compliance Services, Absolute Software

McGlenn is Senior Manager of Risk and Compliance Services for Absolute. He has more than 15 years of experience in internal audit, compliance testing, risk management, IT security, accounting, and fraud prevention. He has developed and managed risk-based corporate internal audit programs with a focus on compliance testing (SOX, PCI, AML) and process and internal control improvements. Leveraging best practices such as CIS Critical Controls, NIST CSF, NIST 800-53, McGlenn has designed cyber-security assessment procedures and performed engagements in both the public and private sectors. His unique experiences assist Absolute customers in addressing compliance concerns and securing the endpoint.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.